Iptables-Fail2ban处理bind 非法攻击

 早上发现DNS流量有些异常,查了query.log日志如下:

9-Apr-2013 13:49:33.418 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)

09-Apr-2013 13:49:33.475 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.487 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.516 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.557 queries: info: client 185.12.119.16#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.588 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.657 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.663 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.758 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.802 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.824 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.848 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)

处理方法:

添加iptables规则(需要添加connlimit模块),限制单IP并发请求数:

  
  
  
  
  1. -A INPUT -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j DROP  
  2. -A INPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP  
  3. -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP  

一、首先检查bind本身安全,利用bind添加acl,同时限制递归查询,添加黑名单。

  
  
  
  
  1. acl "mynetwork" { 
  2. 183.61.81.0/25
  3. 119.38.123.0/25
  4. 180.60.116.0/25
  5. 163.172.24.0/25
  6. 127.0.0.1/32
  7. }; 
  8. acl "blackhats" { 
  9. 108.162.204.88
  10. 184.168.72.113
  11. 93.170.127.96
  12. 72.46.155.84
  13. 178.33.217.2
  14. 72.46.132.122
  15. 78.159.111.197
  16. 192.96.200.41
  17. }; 

全局设置变更:

allow-query { mynetwork; };  #这里设置自己网络,zone里面可以设置成any

allow-recursion { mynetwork; };   #针对递归进行处理
#allow-query-cache {mynetwork;};  #针对查询缓存处理

        version                     "hello babay"; #隐藏版本

        edns-udp-size 1024;  # 设置udp消息大小,单位字节

        max-udp-size 4096; #设置最大udp消息大小,单位字节

    blackhole {blackhats;};#设置黑名单

二、利用fail2ban过滤日志,调用iptables限制指定ip地址

下载fail2ban: https://github.com/fail2ban

或http://sourceforge.net/projects/fail2ban/

我这里用的是fail2ban-0.8.4,解压包后

执行python setup.py install安装完成。

/etc/fail2ban/jail.conf     过滤相关服务配置文件

/etc/fail2ban/fail2ban.conf   主配置文件,设置sock和日志文件

/etc/fail2ban/filter.d/   相应服务的过滤规则文件路径

/etc/fail2ban/action.d/  相应服务的动作配置文件路径

jail.conf添加指定服务参数:

  
  
  
  
  1. [named-refused-udp] 
  2. enabled  = true 
  3. filter   = named-refused  #指定过滤规则
  4. action   = iptables-multiport[name=Named, port=53, protocol=udp] 
  5.            sendmail-whois[name=Named, [email protected]
  6. logpath  = /opt/soft/bind/log/query.log  #指定过滤日志
  7. bantime  = 3600 #封锁时间,单位秒,
  8. findtime  = 100  #100秒内超过次数屏蔽,单位秒
  9. maxretry = 3  #最大尝试次数
  10. ignoreip = 127.0.0.1 
  11.  
  12. [named-refused-tcp] 
  13. enabled  = true 
  14. filter   = named-refused 
  15. action   = iptables-multiport[name=Named, port=53, protocol=tcp] 
  16.            sendmail-whois[name=Named, [email protected]
  17. logpath  = /opt/soft/bind/log/query.log 
  18. bantime  = 360000 
  19. findtime  = 100 
  20. maxretry = 3 
  21. ignoreip = 127.0.0.1 

添加过滤规则:named-refused.conf

  
  
  
  
  1. # Fail2Ban configuration file for named (bind9). Trying to generalize the 
  2. #          structure which is general to capture general patterns in log 
  3. #          lines to cover different configurations/distributions 
  4. # 
  5. # $Revision: 730 $ 
  6. # 
  7.   
  8. [Definition] 
  9.   
  10. # 
  11. # Daemon name 
  12. _daemon=named 
  13.   
  14. # 
  15. # Shortcuts for easier comprehension of the failregex 
  16. __pid_re=(?:\[\d+\]) 
  17. __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:? 
  18. __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:) 
  19. #       hostname       daemon_id         spaces 
  20. # this can be optional (for instance if we match named native log files) 
  21. __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? 
  22.   
  23. # Option: failregex 
  24. # Notes.: regex to match the password failures messages in the logfile. 
  25. # Values: TEXT 
  26. # 
  27. failregex = %(__line_prefix)sclient <HOST>#.+: query: (baidu.com|isc.org) IN ANY \+ED* 
  28.   
  29. # Option:  ignoreregex 
  30. # Notes.:  regex to ignore. If this regex matches, the line is ignored. 
  31. # Values:  TEXT 
  32. # 
  33. ignoreregex = 

执行动作文件#egrep -v '^#|^$' /etc/fail2ban/action.d/iptables-multiport.conf 

  
  
  
  
  1. [Definition] 
  2. actionstart = iptables -N fail2ban-<name> 
  3.               iptables -A fail2ban-<name> -j RETURN 
  4.               iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> 
  5. actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> 
  6.              iptables -F fail2ban-<name> 
  7.              iptables -X fail2ban-<name> 
  8. actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> 
  9. actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP 
  10. actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP 
  11. [Init] 
  12. name = default 
  13. port = ssh 
  14. protocol = tcp 

fail2ban-client  start或fail2ban-server 启动服务

我们看下效果吧,已经有拉黑的IP了。

#fail2ban-client  status named-ddos-tcp
Status for the jail: named-ddos-tcp
|- filter
|  |- File list: /opt/soft/bind/log/query.log 
|  |- Currently failed: 5
|  `- Total failed: 299
`- action
   |- Currently banned: 5
   |  `- IP list: 107.20.206.69 94.75.243.137 61.147.112.29 178.32.244.170 61.147.112.32   (国外的IP已经拉黑啦)
   `- Total banned: 15

Chain OUTPUT (policy ACCEPT 163M packets, 203G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Iptables的也已经自动添加了
Chain fail2ban-Named (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   576 DROP       all  --  *      *       174.142.207.122      0.0.0.0/0           
  241 15424 DROP       all  --  *      *       61.147.120.25        0.0.0.0/0           
   27  1728 DROP       all  --  *      *       61.147.112.32        0.0.0.0/0           
  115  7360 DROP       all  --  *      *       178.32.244.170       0.0.0.0/0           
  119  7616 DROP       all  --  *      *       61.147.112.29        0.0.0.0/0           
   51  3264 DROP       all  --  *      *       94.75.243.137        0.0.0.0/0           
 2206  141K DROP       all  --  *      *       107.20.206.69        0.0.0.0/0           
12829  833K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0    

查阅资料地址:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.html

http://www.isc.org/software/bind/documentation

http://www.minihowto.eu/protectio-against-isc-org-any-attack-dns-attack-isc-org-any-query

http://www.bergercity.de/tag/bind/

http://sourceforge.net/projects/fail2ban/

http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_0.7.x#Iptables_action_setup

 

 

你可能感兴趣的:(bind,ddos,非法攻击)